department of natural resources - park fees and retail sales · 13/08/2020 · natural resources...
TRANSCRIPT
Financial Audit Division
Office of the Legislative Auditor State of Minnesota
Department of Natural Resources – Park Fees and Retail Sales Internal Controls and Compliance Audit
August 2020
Financial Audit Division
The Financial Audit Division conducts 40 to 50 audits each year, focusing on government entities in the executive and judicial branches of state government. In addition, the division periodically audits metropolitan agencies, several “semi-state” organizations, and state-funded higher education institutions. Overall, the division has jurisdiction to audit approximately 180 departments, agencies, and other organizations. Policymakers, bond rating agencies, and other decision makers need accurate and trustworthy financial information. To fulfill this need, the Financial Audit Division allocates a significant portion of its resources to conduct financial statement audits. These required audits include an annual audit of the State of Minnesota’s financial statements and an annual audit of major federal program expenditures. The division also conducts annual financial statement audits of the three public pension systems. The primary objective of financial statement audits is to assess whether public financial reports are fairly presented. The Financial Audit Division conducts some discretionary audits; selected to provide timely and useful information to policymakers. Discretionary audits may focus on entire government entities, or on certain programs managed by those entities. Input from policymakers is the driving factor in the selection of discretionary audits.
Photo provided by the Minnesota Department of Administration with recolorization done by OLA. (https://www.flickr.com/photos/139366343@N07/25811929076/in/album-72157663671520964/) Creative Commons License: https://creativecommons.org/licenses/by/2.0/legalcode
The Office of the Legislative Auditor (OLA) also has a Program Evaluation Division. The Program Evaluation Division’s mission is to determine the degree to which state agencies and programs are accomplishing their goals and objectives and utilizing resources efficiently. OLA also conducts special reviews in response to allegations and other concerns brought to the attention of the Legislative Auditor. The Legislative Auditor conducts a preliminary assessment in response to each request for a special review and decides what additional action will be taken by OLA. For more information about OLA and to access its reports, go to: www.auditor.leg.state.mn.us.
OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA • James Nobles, Legislative Auditor
Room 140 Centennial Building, 658 Cedar Street, St. Paul, Minnesota 55155-1603 • Phone: 651-296-4708 • Fax: 651-296-4712
E-mail: [email protected] • Website: www.auditor.leg.state.mn.us • Minnesota Relay: 1-800-627-3529 or 7-1-1
August 13, 2020
Members
Legislative Audit Commission
Sarah Strommen, Commissioner
Department of Natural Resources
This report presents the results of our internal controls and compliance audit of the Department of
Natural Resources park fees and retail sales for the period July 2016 through January 2019. The
objectives of this audit were to determine if the department had adequate internal controls over
selected financial activities and complied with significant finance-related requirements.
This audit was conducted by Lori Leysen (Audit Director), Emily Wiant (Audit Coordinator),
Alec Mickelson (Senior Auditor), Paul Rehschuh (Senior Auditor), and Kris Schutta (Senior Auditor).
However, due to our required work on the state’s financial statements and Federal Single Audit, we
had to delay the completion of this audit report until July 2020.
We received the full cooperation of the Department of Natural Resources staff while performing this
audit.
Sincerely,
Lori Leysen, CPA
Audit Director
Table of Contents
Page
Report Summary ............................................................................................................... 1
Conclusions ................................................................................................................... 1
Audit Overview ................................................................................................................. 3
State Parks Overview and History ................................................................................ 3
Audit Scope, Objectives, Methodology, and Criteria . 5 ..................................................
Receipts ............................................................................................................................. 7
Separation of Duties ...................................................................................................... 9
Safeguarding Nonpublic Information ......................................................................... 10
Deposits ....................................................................................................................... 11
Point of Sale System ................................................................................................... 13
Inventory ......................................................................................................................... 17
Park Fees ......................................................................................................................... 19
List of Recommendations ............................................................................................... 21
Agency Response ............................................................................................................ 23
Internal Controls and Compliance Audit 1
Report Summary
The Department of Natural Resources (department) oversees the 75 state parks and state
recreation areas located throughout Minnesota. To manage and maintain these
recreational areas, the department’s Division of Parks and Trails receives approximately
21 percent of its funding from the General Fund, 14 percent from the Parks and Trails
Legacy Fund, and the majority of the remaining funds come from the Natural Resources
Fund, which includes fees collected at state parks and recreation areas.
The Office of the Legislative Auditor conducted this selected scope audit to determine
whether the Department of Natural Resources had adequate internal controls and
complied with significant finance-related legal requirements related to receipts collected
from state park patrons. The period under examination was July 1, 2016, through
January 31, 2019.
Conclusions
Internal Controls OLA found that internal controls over the areas in our audit scope were generally not
adequate to ensure that it safeguarded assets and ensured compliance with applicable
legal requirements.
Internal Controls
Specifically, this audit identified internal control weaknesses in the department as
follows:
Finding 1. The Department of Natural Resources did not always ensure
employee separation during the receipt process. (p. 9)
Finding 4. The Department of Natural Resources did not have adequate
controls to ensure the accuracy of deposits in the state’s accounting system.
(p. 12)
Finding 5. The Department of Natural Resources did not identify and remove
unnecessary access in its point of sale system. (p. 14)
Finding 7. The Department of Natural Resources did not always perform an
annual physical inventory or, when the department completed a physical
inventory, it did not always investigate identified differences. (p. 17)
Not Adequate
Generally Not Adequate
Generally Adequate
Adequate
2 Department of Natural Resources – Park Fees and Retail Sales
Legal Compliance The Department of Natural Resources generally complied with most finance-related
legal requirements.
Legal Compliance
However, OLA found the following issues of noncompliance, discussed more
thoroughly in the findings and recommendations in this report.
Finding 1. The Department of Natural Resources did not always ensure
employee separation during the receipt process. (p. 9)
Finding 2. The Department of Natural Resources did not always identify and
destroy instances of not public data. (p. 10)
Finding 3. The Department of Natural Resources did not always deposit
receipts in accordance with its daily deposit waiver. (p. 11)
Finding 5. The Department of Natural Resources did not identify and remove
unnecessary access in its point of sale system. (p. 14)
Finding 6. The Department of Natural Resources employees did not always use
their own unique login when using the point of sale system. (p. 15)
Finding 7. The Department of Natural Resources did not always perform an
annual physical inventory or, when the department completed a physical
inventory, it did not always investigate identified differences. (p. 17)
Did Not Comply
Generally Did Not Comply
Generally Complied
Complied
Internal Controls and Compliance Audit 3
Audit Overview
This report presents the results of an
internal controls and compliance audit of
selected activities in the Department of
Natural Resources (department).
Management is responsible for
establishing internal controls to safeguard
assets and ensuring compliance with
applicable laws, regulations, and state
policies.
A strong system of internal controls
begins with management’s philosophy,
operating style, and commitment to
ethical values. It also includes processes
to continuously assess risks and
implement control activities to mitigate risks. A successful internal controls system
includes iterative processes to monitor and communicate the effectiveness of control
activities.
State Parks Overview and History
The Department of Natural Resources oversees the 75 state parks and recreation areas
located throughout Minnesota. We will refer to the state parks and recreation areas as
state parks going forward. Each year, approximately ten million visitors use state parks.
Exhibit 1 identifies the 75 state parks and recreation areas in Minnesota.
The Division of Parks and Trails, within the department, manages the state parks and
recreation areas. Its vision is to create unforgettable park, trail, and water recreation
experiences that inspire people to pass along the love of the outdoors to current and
future generations. The division receives approximately 21 percent of its funding from
the General Fund and another 14 percent from the Parks and Trails Legacy Fund. The
division receives most of the remaining revenue from the Natural Resources Fund.
State parks fees account for 17 percent of the Natural Resources Fund, which includes
fees collected for state park permits and camping, recreation, and retail activities.1
The department has a central office located in Saint Paul, which oversees the
administration of state parks. State park managers, located at most state parks, oversee
the day-to-day operations. Forty-five parks are self-managed and the remaining parks
are managed by another state park.
1 Department of Natural Resources, Department of Natural Resources Biennial Budget 2018-2019
(St. Paul), 5, https://files.dnr.state.mn.us/aboutdnr/budget/fy18-19-biennial-op-budget.pdf, accessed
May 21, 2020.
Control Environment
Risk Assessment
ControlActivities
Information and Communication
Monitoring
4 Department of Natural Resources – Park Fees and Retail Sales
Exhibit 1: Minnesota State Parks and Recreation Areas
SOURCE: Minnesota Department of Natural Resources.
Visited by OLA
Not visited by OLA
Internal Controls and Compliance Audit 5
Audit Scope, Objectives, Methodology, and Criteria
Receipts This audit focused on the collection of revenue from park fees and retail sales. We
designed our work to address the following questions:
Did the department have adequate controls over state park receipts?
Did the department charge the correct park fees?
Did the department collect, safeguard, and properly deposit all receipts in
accordance with legal and administrative requirements?
To answer these questions, we interviewed and performed testing at nine locations. We
judgmentally selected the central office and the two parks that generated the most revenue
during our audit scope: Itasca State Park and Gooseberry Falls State Park. These three
locations account for 15 percent of revenue collected. In addition, we randomly selected an
additional six parks, which was approximately 4 percent of revenue collected.
The Office of the Legislative Auditor (OLA) interviewed central office and park staff to
gain an understanding of the controls in place to ensure compliance with applicable
statutes, and state and department policies and procedures. To determine whether the
department had adequate internal controls and complied with legal and administrative
requirements, we:
Tested physical controls over receipts at sampled state parks by observing the
presence of safes and the collection of receipts, and conducted spot checks of
receipts on hand.
Analyzed camping, lodging, and tour fees at sampled parks and reviewed
documentation to ensure discounts were appropriate.
Reviewed documentation on-site at sampled parks, including information on
self-registration envelopes collected, to determine whether parks protected not
public data.
Randomly tested 450 of 8,850 sampled state park and the central office deposits
to determine their timeliness.
Reviewed the central office reconciliation process by testing 40 of 620 daily
reconciliations and 6 of 31 monthly reconciliations.
Reviewed security access to the point of sale system.
Randomly selected 52 of 215 active user accounts from sampled state parks and
tested the appropriateness of the roles assigned.
Inventory This audit focused on the department’s controls over its permit and retail inventory at
state park locations. We designed our work to address the following question:
Did the department design and implement controls to safeguard its permit and
retail inventory?
6 Department of Natural Resources – Park Fees and Retail Sales
To answer this question, we obtained inventory reports from the department’s point of sale
system for each of the locations we visited. We conducted a physical inventory count for a
random sample of 212 retail inventory items to determine the accuracy of the inventory
counts in the point of sale system. We also requested documentation from the central
office for all annual physical inventories conducted by the parks during the audit scope.
We reviewed the documentation to determine the extent of the central office’s review.
We also requested documentation from the central office for the 2016, 2017, and 2018
park permit counts performed to ensure all counts were received and completed.
Rate Setting The audit focused on how the department set camping and lodging fees not established in
statute. We designed our work to address the following question:
Did the department set camping and lodging fees in accordance with fee-setting
guidelines established in state statute?
To answer this question, OLA interviewed department staff to assess how the
department establishes fees for camping and lodging. In addition, for each year in our
audit scope, we reviewed data from the point of sale system for parking permits,
camping, lodging, reservations, tours, and other fees, and compared those amounts
charged to the relevant Commissioner’s Order fee documentation on a sample basis.
We conducted this performance audit in accordance with generally accepted
government auditing standards.2 Those standards require that we plan and perform the
audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions based on our
audit objectives. When sampling was used, we used a sampling method that complies
with generally accepted government auditing standards and that supports our findings
and conclusions. That method does not, however, allow us to project the results we
obtained to the populations from which the samples were selected.
We assessed internal controls against the most recent edition of the internal control
standards published by the U.S. Government Accountability Office.3 To identify legal
compliance criteria for the activity we reviewed, we examined state and federal laws,
state administrative rules, state contracts, and policies and procedures established by the
departments of Management and Budget, and Administration.
2 Comptroller General of the United States, Government Accountability Office, Government Auditing
Standards (Washington, DC, December 2011).
3 Comptroller General of the United States, Government Accountability Office, Standards for Internal
Control in the Federal Government (Washington, DC, September 2014). In September 2014, the State of
Minnesota adopted these standards as its internal control framework for the executive branch.
Internal Controls and Compliance Audit 7
Receipts
State parks collect a majority of receipts generated from the sales of permits, camping,
lodging, and retail sales. Customers can pay by cash, check, or credit card in a state park
office, gift shop, or with a self-registration envelope. Customers can also purchase permits
and reservations online, through the call center, or at the central office.4 Customers can
purchase gift cards online, at a state park, or at the central office. The department records
all receipts in its point of sale system. Exhibit 2 shows the total receipts collected at state
parks from July 1, 2016, through January 31, 2019.
Exhibit 2: State Park Receipts by Location, July 1, 2016, through January 31, 2019
NOTES: The locations that are in bold indicate those visited by OLA. We excluded state parks and state recreation areas that were managed by another location or did not generate revenue during our audit scope.
SOURCE: Department of Natural Resources point of sale system.
4 The Department of Natural Resources manages the website. However, an external vendor manages the
call center. Our audit did not include testing of the website or call center other than reviewing the
accuracy of the revenue coming into the department’s point of sale system.
Location Total Receipts
Website $28,338,623 Itasca State Park 6,836,656 Gooseberry Falls State Park 4,028,326 Call Center 3,449,951 Tettegouche State Park 2,047,941 Jay Cooke State Park 1,440,878 Fort Snelling State Park 1,391,524 Whitewater State Park 1,363,554 Forestville Mystery Cave State Park 1,307,258 Interstate State Park 1,206,672 William O'Brien State Park 1,062,662 St. Croix State Park 1,061,958 Afton State Park 883,169 Minneopa State Park 806,918 Sibley State Park 778,922 Wild River State Park 762,132 Lake Carlos State Park 729,934 Frontenac State Park 725,487 Lake Bemidji State Park 704,857 Split Rock Lighthouse State Park 691,497 Bear Head Lake State Park 686,761 Maplewood State Park 609,375 Soudan Underground Mine State Park 602,323 Flandrau State Park 534,313 Scenic State Park 516,336 Red River State Recreation Area 513,959 Nerstrand Big Woods State Park 504,478 Father Hennepin State Park 474,507 Mille Lacs Kathio State Park 464,264 Myre-Big Island State Park 441,943 Central Office 429,042 Lake Shetek State Park 423,678
Location Total Receipts
Buffalo River State Park $ 367,520 Cascade River State Park 359,947 Temperance River State Park 355,016 Judge C.R. Magney State Park 329,841 Lake Maria State Park 329,313 McCarthy Beach State Park 318,897 Crow Wing State Park 310,757 Banning State Park 310,477 Grand Portage State Park 292,076 Camden State Park 290,350 Savanna Portage State Park 274,758 Lake Bronson State Park 273,585 Glendalough State Park 268,523 Sakatah Lake State Park 229,987 Blue Mounds State Park 229,510 Rice Lake State Park 191,419 Big Bog State Recreation Area 184,834 Lac qui Parle State Park 181,149 Great River Bluffs State Park 172,784 Charles A. Lindbergh State Park 155,753 Beaver Creek Valley State Park 153,452 Fort Ridgely State Park 149,261 Zippel Bay State Park 126,757 Split Rock Creek State Park 120,335 Hayes Lake State Park 99,755 Upper Sioux Agency State Park 81,461 Cuyuna Country State Recreation Area 80,109 Big Stone Lake State Park 74,519 Hill-Annex Mine State Park 40,540 Kilen Woods State Park 34,249 Old Mill State Park 16,667 Schoolcraft State Park 12,520
Total $72,675,005
8 Department of Natural Resources – Park Fees and Retail Sales
After recording the receipt transactions in the point of sale system, the transactions are
uploaded to the department’s revenue subsystem, and then to the state’s accounting
system. The department performs various daily and monthly reconciliations at the state
parks and the central office to ensure the accuracy of park receipts as the receipts move
from local banks to the state treasury and as the documented transactions move from the
point of sale system to the department’s revenue subsystem and finally into the state’s
accounting system.
Exhibit 3 illustrates the process to collect, process, deposit, and record receipts.
Exhibit 3: Receipt Process
SOURCE: Office of the Legislative Auditor.
Receipt Collecting
• State parks, central offfice, the call center, and the website collect receipts.
Recording
• State parks, central office, the call center, and the website record transactions in the point of sale system.
Depositing
• State parks deposit cash and check receipts at local banks.
• The state bank deposits all credit card receipts in the state treasury.
• The department deposits all cash and check receipts in the state treasury.
Data Processing
• Revenue data in the point of sale system is summarized by payment type and funding source and uploaded into the department's revenue subsystem.
Financial Reporting
• Revenue totals by funding source are uploaded from revenue subsystem to the state's accounting system.
Internal Controls and Compliance Audit 9
Separation of Duties
According to state policy, an employee separate from the receipt and entry process
should review and approve the daily deposits.5 Furthermore, for the receipt process at
state parks and recreation areas, the department’s revenue manual requires separate
individuals to handle cash, deposits, and reconciliations. When separation is not
possible, park managers are required to implement compensating controls to reduce risk
such as performing an unscheduled and unannounced cash count and review all
shortages in revenue deposits for any potential trends related to an employee.6
FINDING 1
The Department of Natural Resources did not always ensure employee separation during the receipt process.
At six of the eight parks sampled, we identified instances where the deposit did not
always include evidence that an employee separate from the receipt and entry process
reviewed and approved the deposits. At four of the six parks, 224 deposits sampled
indicated no such separation of duties.
Limited staffing prevents adequate separation of duties at some state park locations,
especially during the off-season. Often, a single staff person oversees all park
operations during winter months. This includes the collection of receipts, preparation
of deposits, and deposit at the local bank. We saw no evidence of compensating
controls when state parks experienced limited staffing to the extent that they could not
adequately separate duties.
There is a greater risk that receipts could be mishandled or misappropriated when the
same employee collects and deposits the receipts.
RECOMMENDATION
The Department of Natural Resources should implement compensating controls when park staff cannot adequately separate duties involved in collecting and depositing receipts.
5 Minnesota Management and Budget, Statewide Operating Policy 0602-1, Recording and Depositing
Receipts, issued July 1, 2011.
6 Department of Natural Resources, Division of Parks and Trails, Summary of Minnesota State Parks and
Trails Revenue Collection & Reporting Policies (St. Paul, 2015), 8.
10 Department of Natural Resources – Park Fees and Retail Sales
Safeguarding Nonpublic Information
The department provides self-registration envelopes for customers to purchase permits
in lieu of paying at a state park office. Customers can either insert cash or check or
leave credit card information on the outside of the envelope. The customer then inserts
the envelope into a secured box. After the envelopes are collected, state park
employees process the transactions through the point of sale system, which does not
store credit card numbers.
After confirming that the transactions were processed, the state parks retain the used
envelopes for audit purposes. However, the department requires park staff to destroy or
make illegible all instances of credit card data on self-registration envelopes through
shredding or other permanent destruction methods.7
FINDING 2
The Department of Natural Resources did not always identify and destroy instances of not public data.
In most cases, we observed that state parks appropriately destroyed customer credit card
data. However, we identified 398 self-registration envelopes that had visible credit card
numbers. This represents approximately 2.5 percent of self-registration envelopes we
reviewed. In some cases, the state parks retained documentation of credit card numbers
after noting that the respective park could not process the transaction. Generally, this
occurred when a customer provided an invalid credit card number. In these
circumstances, the department’s policies do not address how long parks should retain
the documentation.
State park employees did not consistently adhere to the department’s internal policy and
the parks did not provide oversight to ensure proper handling of credit card information
by employees. According to the state parks, this was often due to unprocessed
transactions, employees forgetting to destroy the data, or employees not understanding
the policy.
RECOMMENDATIONS
The Department of Natural Resources should destroy credit card information immediately following the processing of a transaction.
The Department of Natural Resources should revise its policy on how long a park should retain credit card information for unprocessed transactions.
7 Department of Natural Resources, Division of Parks and Trails, Summary of Minnesota State Parks and
Trails Revenue Collection & Reporting Policies (St. Paul, 2015), 5.
Internal Controls and Compliance Audit 11
Deposits
State statute requires agencies to deposit cash and check receipts exceeding $1,000
daily. However, an agency can request a waiver if it can demonstrate that the cost of
making daily deposits exceeds the lost interest earnings and the risk of loss or theft of
the receipts.8
Due to the remote locations and limited staff at some state parks, the department has an
approved waiver from the daily deposit requirement, which also includes the central
office. The waiver allows most state parks up to four days to deposit receipts exceeding
$1,000 during the period from May 1 through September 30, and up to 14 days to
deposit receipts during the period from October 1 through April 30. The waiver allows
Itasca State Park only two days to deposit receipts from May 1 through September 30,
and four days from October 1 through April 30. State parks keep receipts in a safe until
deposited.
FINDING 3
The Department of Natural Resources did not always deposit receipts in accordance with its daily deposit waiver.
We identified instances at all sampled locations where staff did not deposit receipts
within the required timeframe. Out of the 450 deposits tested, we identified 12 that
were not deposited timely. These untimely deposits were between one and eight days
late. The location with the highest rate had 5 untimely deposits out of 60 sampled
deposits totaling $7,458.
In addition, we were unable to conclude on the timeliness of 34 samples due to data
limitations in the point of sale system. The data available in the system, prior to the
March 2018, included transaction dates but not payment types. Because of this, we
were not always able to determine when the collected cash and check receipts exceeded
$1,000.
Furthermore, we observed unprocessed self-registration envelopes at two state parks.
The combined total of unprocessed cash, check, and credit card receipts for the two
locations was an estimated $11,924.9 This puts receipts at a higher risk because they
could become unaccounted for or misappropriated if loss or theft occur.
The department stated that limited staffing and seasonality at some park locations
prevented staff from making timely deposits.
8 Minnesota Statutes 2019, 16A.275.
9 We calculated the estimate based on one daily $7 permit per envelope.
12 Department of Natural Resources – Park Fees and Retail Sales
RECOMMENDATION
The Department of Natural Resources should ensure timely deposits in accordance with state statute.
State policy requires an agency to establish policies and procedures to ensure the
accuracy of deposits in the state’s accounting system.10 These policies and procedures
should include an employee, who is separate from the collection, deposit, and entry of
receipts, to reconcile deposits in the state’s accounting system at least once a month.
At each state park location where receipts are collected, an employee performs a daily
reconciliation by comparing cash and checks received to the bank deposit and to the
point of sale system. At some parks, the reconciliation includes a comparison of cash
and checks to the department’s revenue subsystem, as well. The parks do not include
credit card transactions in the daily reconciliations. Instead, the department relies on
the point of sale system vendor to identify any differences between credit card
transactions in the point of sale system and the transactions cleared through the credit
card processing vendor.
The central office then performs a daily reconciliation of credit card receipts in the state
treasury to its revenue subsystem and a monthly reconciliation by comparing all
receipts, including cash, checks, and credit cards, recorded in its revenue subsystem to
the state’s accounting system. The department adjusts the revenue subsystem to match
the bank balance but does not always investigate identified differences.
FINDING 4
The Department of Natural Resources did not have adequate controls to ensure the accuracy of deposits in the state’s accounting system.
The department did not identify an error in its point of sale system that resulted in
approximately $80,000 of lost revenue in calendar year 2017. From May 2017 through
August 2017, the point of sale system automatically voided some credit card payments.
However, the system still showed these transactions as paid. For example, if a customer
reserved a campsite using a credit card, the system showed that the reservation was
paid, but the system voided the transaction before the department could deposit the
transaction in the bank. Although the central office identified variances when
performing daily reconciliations during this time, it took no action to identify the cause
of the variances. Instead, the department continued to make adjustments in its revenue
subsystem to match the bank balance. There is no established threshold for an
adjustment and the department did not always investigate identified differences.
10 Minnesota Management and Budget, Statewide Operating Policy 0602-1, Recording and Depositing
Receipts, issued July 1, 2011.
Internal Controls and Compliance Audit 13
In August 2017, a customer contacted the department to modify their park reservation.
In modifying the reservation, the department saw that the customer was never charged.
The department contacted the point of sale system vendor but believed the issue to be
isolated. The department was not aware of the pervasiveness of the issue. Instead, the
vendor identified the error and credited the state $20,696 in October 2018. As of the
end of our audit, the department did not calculate the entire error or pursue payment for
the total amount of the error.
Because the department does not have an established threshold to determine when
identified differences should be investigated and no internal control to provide oversight
over the reconciliation process, the department increases its risk of lost revenue or
misappropriated funds.
RECOMMENDATIONS
The Department of Natural Resources should implement procedures to complete a full reconciliation of state park receipts between the point of sale system and the state’s accounting system.
The Department of Natural Resources should determine the amount of remaining lost revenue and seek vendor reimbursement.
Point of Sale System
In 2011, the department contracted with an external vendor for its point of sale system.
The system records all retail inventory, reservations, and sales. The department
upgraded to a web-based system in March 2018, which allows an active user to access
the system from a state or non-state computer. The point of sale system has defined
user roles. Based on an employee’s position and job duties, the department assigns
them as an administrator, super manager, manager, or cashier. Administrators have the
most access and are able to modify their own role along with all other roles. Each role
is customizable, which allows the department to assign permissions other than those
initially assigned to a role.
According to state policy, “Identity and access management controls must be in place to
ensure users, systems, applications and networks have appropriate access to only that
which is necessary to perform their function.”11 Furthermore, the creation and
modification of accounts must be documented and approved, user accounts must be
reviewed at least annually, inactive accounts must be disabled after 90 days and deleted
within one year, and accounts no longer required must be removed or disabled within
eight hours depending on cause.12
11 Minnesota IT Services, “Identity and Access Management Policy,” version 1.4, effective January 1,
2016.
12 Minnesota IT Services, “Enterprise Identity and Access Management Standard,” version 1.3, effective
January 1, 2016.
14 Department of Natural Resources – Park Fees and Retail Sales
FINDING 5
The Department of Natural Resources did not identify and remove unnecessary access in its point of sale system.
The department did not implement the state policy on user access nor did it create an
internal policy or procedure. The department assigned two administrators at the central
office to manage the point of sale system and to grant super manager access to all park
managers. Super managers and managers are then able to assign and modify roles to
their employees. The administrators do not approve access or modifications for any of
the roles assigned. Furthermore, there was no documentation of who had access and, if
a role had been modified. The department was not able to produce an audit trail of the
permissions assigned to any one employee.
We reviewed the security access assigned to employees at the central office and the
eight state parks we visited. Of the 52 user accounts we sampled, we identified the
following unnecessary access at four parks and the central office:
Six former employees had active user accounts.
Three employees, who transferred parks, retained user accounts at the former
park.
The department retained nine generic accounts that were no longer in use.
Two employees at the central office had excessive administrator access rights
based on their position title; the department was not able to identify why these
employees needed this level of security access.
By not identifying and removing unnecessary access to the system, the department
increased the risk that employees could inappropriately modify information in the point
of sale system.
RECOMMENDATIONS
The Department of Natural Resources should perform an annual review of user accounts to ensure appropriate access to the point of sale system and immediately terminate unnecessary access.
The Department of Natural Resources should design and implement a control to track access authorizations, modifications, and terminations in its point of sale system.
Internal Controls and Compliance Audit 15
According to the department’s internal policy, “All employees…responsible for
processing transactions…must be assigned a unique log on id and use only that id when
completing transactions.”13 Although some locations may only have one cash register,
it is still required that employees use their own login credentials when processing
transactions through the point of sale system.
FINDING 6
The Department of Natural Resources employees did not always use their own unique login when using the point of sale system.
At three of the state parks tested, we observed employees using the login credentials of
another employee. Furthermore, on the dates we visited, we observed one park’s
employees leaving the cash drawer ajar throughout the day. State parks stated that it
was easier to have one person log in for the day as opposed to logging in and out each
time a transaction occurs.
RECOMMENDATION
The Department of Natural Resources should enforce the requirement for employees to use their own unique login when using the point of sale system.
13 Department of Natural Resources, Division of Parks and Trails, Summary of Minnesota State Parks and
Trails Revenue Collection & Reporting Policies (St. Paul, 2015), 4.
Internal Controls and Compliance Audit 17
Inventory
All state parks manage inventory. For retail inventory, some parks may only sell a few
souvenirs in the park office while larger parks, such as Itasca and Gooseberry Falls,
have a separate gift shop(s) selling many retail items. We identified 62 parks and
recreation areas with retail sales during the audit scope. All locations sell daily and
annual permits, which include sales through the central office, the call center, and the
department’s website, as well.
State parks maintain retail inventory records in the point of sale system. State parks
record inventory in the system when items are received and the system updates
quantities on hand when items are sold. At the end of the calendar year, the department
requires a physical count of inventory. However, there is no documented policy
identifying this requirement. Each park will generate inventory reports directly from
the point of sale system, count the actual inventory on hand, and update the records in
the system. Itasca State Park, Gooseberry Falls State Park, and the central office hire a
contractor to perform the physical inventory count. State parks send completed
inventory reports to the central office.
State parks do not maintain permit inventory in the point of sale system. Instead, the
parks retain purchase orders and invoices to assist in a physical, year-end count of
annual permits, required by the department. However, there is no documented policy
identifying this requirement. State parks will calculate the ending permit totals based
on beginning totals and purchases, transfers, sales, discounted permits, and voids that
occur during the year. Each park will then compare the calculated total with its
physical count of remaining permits. State parks send completed counts to the central
office, and the parks retain the permits for sale in the following year.
FINDING 7
The Department of Natural Resources did not always perform an annual physical inventory or, when the department completed a physical inventory, it did not always investigate identified differences.
We found that the central office did not verify whether all state parks completed an
annual, retail inventory. In addition, the central office did not always review the
completed inventory reports. For calendar years 2016, 2017, and 2018, the central
office did not have documented evidence that 65 of an expected 186 annual physical
retail inventories were completed.
We also found that when state parks identify retail inventory differences, they are not
required to investigate or reconcile any variances. Instead, the park adjusts the count in
the system to reflect the physical count. In our testing, we identified three state parks
with differences. At one park, 25 of the 40 inventory items tested did not match the
count recorded in the system.
18 Department of Natural Resources – Park Fees and Retail Sales
Additionally, while the central office did ensure that parks conducted all permit counts
during our audit scope, it did not review the counts or follow up on any noted
differences. We reviewed and tested the 2017 permit counts at the sampled state parks
and identified that sampled state parks were not able to account for 209 annual permits
out of the 38,050 available for sale. Without oversight of the annual retail inventories
and permit counts, there is an increased risk that inventory could be lost or stolen.
RECOMMENDATION
The Department of Natural Resources should document an inventory policy to address the accuracy of inventory records.
Internal Controls and Compliance Audit 19
Park Fees
Minnesota statutes establish state park vehicle permit fees, and the department
establishes fees for camping, lodging, and other state park uses. Minnesota statutes
require the department to set fees “in a manner and amount consistent with the type of
facility provided for the accommodation of guests in a particular park and with similar
facilities offered for tourist camping and similar use in the area.”14
The department reviews park fees for camping, lodging, and tours each year and
establishes fees two years in advance. The department considers public demand and
compares fees at state parks with those charged by other local public and private
providers. We did not identify any issues in how rates were set and charged.
14 Minnesota Statutes 2019, 85.052. subd. 3.
Internal Controls and Compliance Audit 21
List of Recommendations
The Department of Natural Resources should implement compensating controls when park staff cannot adequately separate duties involved in collecting and depositing receipts. (p. 9)
The Department of Natural Resources should destroy credit card information immediately following the processing of a transaction. (p. 10)
The Department of Natural Resources should revise its policy on how long a park should retain credit card information for unprocessed transactions. (p. 10)
The Department of Natural Resources should ensure timely deposits in accordance with state statute. (p. 12)
The Department of Natural Resources should implement procedures to complete a full reconciliation of state park receipts between the point of sale system and the state’s accounting system. (p. 13)
The Department of Natural Resources should determine the amount of remaining lost revenue and seek vendor reimbursement. (p. 13)
The Department of Natural Resources should perform an annual review of user accounts to ensure appropriate access to the point of sale system and immediately terminate unnecessary access. (p. 14)
The Department of Natural Resources should design and implement a control to track access authorizations, modifications, and terminations in its point of sale system. (p. 14)
The Department of Natural Resources should enforce the requirement for employees to use their own unique login when using the point of sale system. (p. 15)
The Department of Natural Resources should document an inventory policy to address the accuracy of inventory records. (p. 18)
Minnesota Department of Natural Resources | Commissioner’s Office Equal Opportunity Employer 500 Lafayette Road North, St. Paul, Minnesota 55155 This material is available in alternate formats. www.dnr.state.mn.us
1
August 11, 2020
James R. Nobles
Legislative Auditor
Office of the Legislative Auditor
Centennial Building, Room 140
658 Cedar St.
St. Paul, MN 55155-1603
Subject: Minnesota Department of Natural Resources (DNR) response to the Office of the Legislative Auditor
(OLA) audit of park fees and retail sales
Dear Auditor Nobles:
Thank you for the opportunity to review and respond to the Office of Legislative Auditor’s (OLA) findings and
recommendations resulting from the recent park fees and retail sales audit for the period of July 2016 through
January 2019. We appreciate the professional review conducted in the OLA audit. The Minnesota Department of
Natural Resources (DNR) takes very seriously our responsibility to implement internal controls to safeguard
public assets and ensure compliance with laws, rules and policies. Therefore, we also appreciate the objective
evaluation and recommendations for improvement that the OLA audit provides. It is in this spirit of continuous
improvement that the DNR offers the following specific responses to the audit findings and recommendations.
Audit Finding #1
The DNR did not always ensure employee separation during the receipt process.
Audit Recommendation: The DNR should implement compensating controls when park staff cannot
adequately separate duties involved in collecting and depositing receipts.
DNR response: The agency concurs with the finding that the Division of Parks and Trails did not always ensure
separation of duties in the receipting process, and the recommendation that additional compensating controls
are needed.
The DNR will take the following Corrective Actions:
1.1 Implement a more robust tracking and accountability procedure to ensure compliance with
compensating controls. As the OLA audit acknowledges, separation of duties is not always possible at
state parks that have limited staffing, especially during off-peak times of the year. To address this, unit
supervisors are required to submit a risk assessment plan, including compensating controls to address
identified risks associated with low staffing, for the sites that collect and deposit receipts. The Division of
2 | P a g e
Parks and Trails will take the following actions to strengthen both the compensating controls in these
plans and the implementation of these controls across the system:
a. The Division and Fiscal Services (DFS) section manager will lead a team to develop and document a
system of standardized compensating controls for collecting and depositing receipts consistent with
the approved Parks and Trails deposit waiver no later than December 1, 2020. These policies and
procedures will include a system to monitor compliance and accountability and include corrective
actions for non-compliance. The DFS section manager will ensure that the Division of Parks and
Trails fully implements compensatory controls regarding separation of duties by January 1, 2021.
b. The DFS section manager will oversee the revision of the Parks and Trails Revenue Manual by
December 1, 2020, and will provide revenue-handling training, including the use of compensating
controls, to all division staff responsible for implementing and overseeing revenue operations no
later than January 1, 2021, and annually thereafter. The training will also be provided to new
employees, as applicable, during the onboarding process.
c. The division will include periodic communication on the importance of compliance with fiscal
controls to all Parks and Trails staff through the division newsletter and email. These
communications will include reminders of policies, procedures and best practices.
d. Unit supervisors will provide ongoing oversight, monitoring and documentation of all revenue
operations within the unit, consistent with the monitoring systems and the standardized
compensating controls addressed in Corrective Action 1.1a. Unit supervisors will complete risk
assessments for each location by January 1, 2021. They will also implement the policies and
procedures articulated in Corrective Action 1.1b to ensure staff compliance with all revenue
handling responsibilities, including compensating controls, no later than January 1, 2021.
e. District supervisors will be responsible for quarterly monitoring and documentation of compliance
by unit supervisors within the district beginning January 1, 2021. If non-compliance is identified, the
nature of the non-compliance and the resulting corrective actions will be documented and reviewed
with the regional manager, and also shared with the DFS manager.
f. The DFS manager will at least annually review documentation, identify any patterns in incidences of
non-compliance and system-level corrective actions needed to avoid future noncompliance, and
adjust training and communications accordingly. The DFS manager will also maintain the records on
the I:\drive to document and ensure compliance.
Audit Finding #2
The DNR did not always identify and destroy instances of not-public data.
Audit Recommendation: The DNR should destroy credit card information immediately following the
processing of a transaction.
Audit Recommendation: The DNR should revise its policy on how long a park should retain credit card
information for unprocessed transactions.
3 | P a g e
DNR response: The agency concurs with the finding that staff did not consistently comply with the existing
policies and procedures regarding retention of data, and the recommendations that the policies should always
be followed and also should be revised to address unprocessed transactions.
The DNR will take the following Corrective Actions, some of which have already been implemented:
2.1 Revise the practice of redacting data. It is evident that some Division of Parks and Trails procedures
need revision to better guide staff in meeting the requirement of protecting not-public data. Based on
the information shared at the OLA field exit interview last summer, the following actions have already
been taken:
a. In October 2019, the division discontinued the practice of using a black permanent marker to redact
credit card data on self-pay envelopes. Not-public data on the envelopes is now cut away from the
original document and shredded once the transaction has been validated.
b. In October 2019, staff were reminded to keep all not-public data needed for future verification
locked in a secure location and only make it available to those who need it for a business purpose.
This policy will be included in the revised Parks and Trails Revenue Manual and will be reinforced in
associated training materials delivered at least annually.
2.2 Ensure compliance with redaction of not-public data requirements. It is the local unit supervisor’s
responsibility to ensure that staff comply with procedures developed to protect non-public data.
a. Unit supervisors will monitor compliance to ensure that staff processing self-pay envelopes
promptly destroy not-public data after transactions are validated. The DFS manager will send an
email to all unit supervisors about the importance of this practice by September 15, 2020, and at
least annually thereafter. This need will also be emphasized in annual training.
b. Unit supervisors will proactively communicate and reinforce the importance of complying with the
redaction requirement, and will document non-compliance along with the appropriate corrective
action in the employee’s personnel file, up to and including progressive disciplinary actions if
necessary. Communications will occur at least annually, in association with annual training.
c. District supervisors will be responsible for quarterly monitoring and documentation of compliance
by unit supervisors within their district (as developed in corrective action 1.1b above) and for
implementing corrective actions for non-compliance. This quarterly monitoring for compliance with
redaction of not-public data requirements will begin no later than January 1, 2021.
2.3 Revise policy on retaining credit card information for unprocessed transactions. The Division of Parks
and Trails will clarify the policy for retaining, protecting and destroying not-public data related to the
revenue system. Some actions have already been taken, and others are in process, as follows:
a. In October 2019, the DFS section provided the following guidance to staff on credit card transactions
that do not correctly process: Following the first attempt, staff verify that the credit card numbers
were entered correctly. Following the second attempt, staff attempt to contact the cardholder to
verify the number. If these attempts are unsuccessful, staff note the failure on the self-pay envelope
4 | P a g e
and deposit records and then destroy the not-public data. The self-pay envelopes are retained for
audit.
b. The DFS section manager will include this policy and procedure in the revised Parks and Trails
Revenue Manual and associated training materials, to be completed by December 1, 2020, and will
ensure that unit supervisors receive training on the new procedures by January 1, 2021.
c. The unit supervisor will ensure that all revenue-handling staff understand the policies on retaining,
protecting and destroying not-public data related to the park revenue system.
2.3 Continue to explore alternatives to self-pay envelopes. A move away from self-pay envelopes would
avoid the need to collect not-public data in the first place, thereby eliminating any risk that the data are
not properly destroyed. The division began a pilot project to use electronic pay stations in five parks in
the fall of 2019. In recent months, the DNR has had some success in using QR codes to encourage online
payments via internet-enabled mobile phones. The DFS manager will continue to explore alternatives to
using envelopes to conduct self-pay transactions and to provide more secure fee collection boxes at
locations where electronic options are not available, and, in some instances, may not be feasible. By
April 1, 2021, the DFS manager will convene a group to develop a plan to reduce the use of fee
collection boxes over the next five years.
2.4 Reinforce and enhance staff training. The DFS section manager will develop a division-specific
Enterprise Learning Management (ELM) training and a revised Parks and Trails Revenue Manual to
clarify the retention policies and procedures with regard to processing transactions. The training will be
developed by December 1, 2020, with the expectation that unit supervisors have completed it by
January 1, 2021, and that all seasonal staff have completed it by May 31, 2021, and annually thereafter.
Unit supervisors will ensure that all staff who process transactions complete this training by May 31 of
each year. The ELM system will allow unit supervisors to track who has completed the training each
spring, to ensure staff are training on an annual basis. The DFS reservation coordinator will disable user
logins for all staff who do not complete training by May 31 each year.
Audit Finding #3
The DNR did not always deposit receipts in accordance with its daily deposit waiver.
Audit Recommendation: The DNR should ensure timely deposits in accordance with state statute.
DNR Response. The agency concurs with the finding that staff did not always deposit receipts in accordance
with required timelines and the recommendation to ensure timely deposits in accordance with state statute.
The DNR will take the following Corrective Actions:
3.1 Ensure compliance with the specified timelines in state statutes and existing daily deposit waivers.
Division of Parks and Trails staff are not always ensuring that receipts are deposited in accordance with
the approved deposit waiver timelines. These situations usually arise from reduced off-peak staffing
levels.
5 | P a g e
a. The DFS section manager will review the audit findings with unit supervisors, remind them of
current practices, and share interim corrective actions by September 15, 2020. The DFS section
manager will convene a group of unit supervisors and DFS fiscal staff to determine how best to
ensure compliance and more effective handling of deposits; the recommendations of the group will
be documented and implemented by January 1, 2021.
b. Unit supervisors will be responsible for ongoing oversight, monitoring and documentation of all
revenue operations within the unit, consistent the standardized compensating controls identified in
1.1a. Unit supervisors will monitor compliance with the deposit waiver and will document any
incidents of failure to comply and the appropriate corrective action taken to prevent reoccurrence.
c. District supervisors will be responsible for monitoring and documenting compliance by unit
supervisors within their district and for implementing corrective actions for non-compliance, which
will begin on January 1, 2021.
d. Every January, the DFS section manager will compile and review all deposit violation forms and will
provide a summary to the deputy director. The DFS manager will at least annually review
documentation, identify any patterns in incidences of non-compliance and system-level corrective
actions needed to avoid future noncompliance, and adjust training and communications accordingly.
The DFS manager will also maintain the records on the I:\drive to document and ensure compliance.
Audit Finding #4
The DNR did not have adequate controls to ensure the accuracy of deposits in the state’s accounting system.
Audit Recommendation: The DNR should implement procedures to complete a full reconciliation of state
park receipts between the point of sale system and the state’s accounting system.
Audit Recommendation: The DNR should determine the amount of remaining lost revenue and seek
vendor reimbursement.
DNR Response: The agency concurs that the controls to ensure the accuracy of deposits in the state’s
accounting system need to be examined and modified to ensure a full reconciliation between the vendor’s
system and the state accounting system. The agency also concurs with and has implemented, as documented
further in 4.3 below, the recommendation to determine and seek vendor reimbursement of the full amount of
lost revenue.
The DNR will take the following Corrective Actions:
4.1 Review and improve the reconciliation process and procedures. The Division of Parks and Trails and
OMBS are responsible for reconciliation between SWIFT, WIRES and any applicable sub-system. The
reconciliation process is conducted daily by the DFS section revenue staff. When a delay of more than a
day in payment to the bank from a credit card company occurs, DFS revenue staff have a tracking
procedure that documents the resulting daily overages and shortages. Staff add a correcting entry to
temporarily balance the account for the day of the credit card purchase and flag the transaction. If the
flagged transaction is not reconciled by the end of the week, DFS revenue staff contact the gateway
6 | P a g e
provider to reconcile payment and follow up on any discrepancies. Better documentation of this process
is needed, and the following actions will be taken to strengthen the reconciliation process:
a. By January 1, 2021, the DFS manager will review, revise and document this reconciliation process in
consultation with OMBS, the reservation system vendor, the gateway provider, and Parks and Trails
fiscal staff to ensure full documentation and reconciliation of receipts between the point of sale
system and the state’s revenue systems.
b. The DFS section manager will work with OMBS staff to establish a standardized process to review,
reconcile and document discrepancies by January 1, 2021.
4.2 Review the threshold above which discrepancies will be investigated and establish a standardized
discrepancy investigation process. The Parks and Trails Revenue Manual currently indicates that any
revenue shortage in excess of $50 must be investigated and signed off on by the unit supervisor. When a
discrepancy is found, the information is provided to DFS revenue staff. DFS staff then review the fiscal
reports from the reservation and accounting systems, and resolve or document the discrepancies in the
WIRES report. Patterns of discrepancies are documented and reported to the reservation coordinator
and/or the Parks and Trails business manager to investigate.
a. By December 1, 2020, the DFS manager will work with OMBS staff to review the specific threshold
for investigating discrepancies in receipting and to establish a standardized process to review,
reconcile and document discrepancies.
b. Unit supervisors will be responsible for ongoing oversight, monitoring and documentation of all
revenue operations within the unit, consistent with the policies and procedures outlined in the
Parks and Trails Revenue Manual. Unit supervisors are also responsible for timely addressing and
documenting all instances where discrepancies above this threshold occur and the corrective action
taken to both resolve the specific instance and prevent reoccurrence.
c. District supervisors will be responsible for quarterly monitoring and documentation of compliance
by unit supervisors within their district and for implementing corrective actions for non-compliance,
which will begin on March 31, 2021.
4.3 Determine and recover lost revenue due to the auto-void. Prior to the audit commencing, the DNR
began working with the vendor to identify and document a system flaw whereby the reservation system
software could automatically void a transaction prior to funds being deposited. This flaw was also
identified by the OLA. Voids are common when customers either change their minds mid-transaction or
make a reservation error and back out of the system. Consequently, it was difficult to catch errors that
resulted in actual lost revenues. It is only when park staff checked someone into a campsite, and found
that a payment wasn’t processed, that the discrepancy in payment was found. Parks and Trails staff
have identified and recovered the total revenue loss. Specifically, a contract amendment was fully
executed on February 27, 2020 to reduce the total payout to the vendor by $133,417.16 as a means of
recovering the remaining lost revenue (this includes $80,000 to address the auto-void error and
$53,417.16 to address call center response time issues).
7 | P a g e
Audit Finding #5
The DNR did not identify and remove unnecessary access in its point of sale system.
Audit Recommendation: The DNR should perform an annual review of user accounts to ensure
appropriate access to the point of sale system and immediately terminate unnecessary access.
Audit Recommendation: The DNR should design and implement a control to track access authorizations,
modifications, and terminations in its point of sale system.
DNR Response: The agency concurs with the finding that the agency did not identify and remove unnecessary
access to the system and the recommendations to address the finding.
The DNR will take the following Corrective Actions:
5.1 Conduct regular reviews of user accounts and update training materials and manuals. In October 2019,
the Division of Parks and Trails conducted a training that emphasized the need to suspend access that is
no longer needed, and reviewed the roles and responsibilities of staff who grant that access. Consistent
with MNIT Identity and Access Management Standards, the DNR implemented new procedures on
January 29, 2020 to better manage access to the system. The DNR is putting into place these additional
measures to assure full compliance with the MNIT standard by the end of 2020:
a. The DFS reservation coordinator will send out monthly reports of access roles and use to the unit
and district supervisors, who will review for compliance with unique logins and for any unnecessary
logins in need of suspension.
b. Unit supervisors will immediately suspend access for employees separating from service or going on
seasonal layoff. They will also review and manage user access at least monthly to ensure user
access is correct and up-to-date.
c. District supervisors will quarterly review employee access and ensure that proper access roles are
established.
d. By December 31 each year, the reservation coordinator will ensure the division is meeting the MNIT
standards through the following actions:
i. Spot check access documents to ensure appropriate access suspensions have been made.
ii. Review the access roles for the system and update manuals and training materials as needed.
iii. Add the following information to the MNIT access report: 1) who authorized access for each
person included in the report, 2) the job classifications for both those who authorized access
and those having access, and 3) a comment field to note any special circumstances.
iv. Review the access report to ensure that similar job classifications have the same level of
access and that those authorizing access are also at the same job class. Include a justification
for any special circumstances in the comment field and review/revisit each year.
v. Unit supervisors will work with the reservation coordinator annually to review the staff access
and assess whether the access level assigned to each staff member is appropriate for their
work responsibilities.
8 | P a g e
vi. Information on managing user access will be included in the updated Parks and Trails Revenue
Manual and associated trainings.
5.2 Design and implement an automated procedure to deactivate access after 30 days of inactivity. The
DNR’s reservation and point-of-sale system is provided by a third party. At the time of the audit, the
vendor’s system did not have a mechanism to automatically manage access to the system after a period
of inactivity; instead, this had to be accomplished manually. In November 2019, the DFS manager began
working with the vendor to program an automatic deactivation of users if they have not used the system
within a 30-day period. This is equivalent to what is programmed into SWIFT and SEMA4 to manage user
access. A deadline of March 31, 2021 has been established for the vendor to implement this tool.
Audit Finding #6
The DNR employees did not always use their own unique login when using the point of sale system.
Audit Recommendation: The DNR should enforce the requirement for employees to use their own unique
login when using the point of sale system.
DNR Response: The agency concurs with the finding that DNR employees did not always use their unique system
login and with the recommendation that the DNR should fully enforce the requirement.
The DNR will take the following Corrective Actions:
6.1 Increase oversight of staff and conduct unscheduled site visits to ensure compliance. DNR will enforce
compliance with this requirement through increased unit supervisor oversight, emphasizing the reasons
for and importance of this requirement, and peer discouragement of using another staff member’s
login. The following actions will be taken:
a. Unit supervisors will be required to proactively reinforce the reason for and importance of this
requirement and document, with corrective actions up to and including progressive discipline, all
instances where staff are observed in non-compliance (those allowing the use of their login and
those using a login not their own).
b. The DFS reservation coordinator will send out monthly login and use reports to the unit supervisors,
who will review for compliance with unique logins and for any unnecessary logins in need of
suspension.
c. District supervisors will quarterly observe and document front-desk transactions and ensure internal
control practices are being followed by all units in their district.
d. Assistant regional managers will be responsible for tracking spot-check documentation by the
district supervisors and will submit that documentation to the DFS manager in October of each year.
Documentation will be reviewed with regional staff in December of each year.
9 | P a g e
6.2 Establish a shortened automatic logout timeframe. Since staff are not consistently complying with the
requirement that they use their unique log in for transactions they complete, DNR implemented on
August 6, 2020 an automatic logout after 5 minutes of inactivity (previous logout window was every 15
minutes) as a way to prompt and enhance compliance. This is similar to the automatic logout
implemented by MNIT for state computers. If compliance has not improved by October 31, 2021 (as
measured by three quarters of district supervisor observations according to 6.1c), the DFS manager will
work with the vendor to log out users automatically after every transaction.
Audit Finding #7
The DNR did not always perform an annual physical inventory or, when the department completed a physical
inventory, it did not always investigate identified differences.
Audit Recommendation: The DNR should document an inventory policy to address the accuracy of
inventory records.
DNR Response: The agency concurs with the finding that local units did not always perform and/or document an
annual physical inventory and investigation of differences and the recommendation that DNR should document
an inventory policy to address the accuracy of inventory records.
The DNR will take the following Corrective Actions:
7.1 Ensure staff at every local unit follows a standard process to complete an annual physical retail
inventory, document the inventory in a report, and file the report in a central location. All completed
inventory audits (permits and sales merchandise) are required to be submitted electronically to the
Visitor Services and Outreach (VSO) section’s state program coordinator on forms approved for this
purpose. Permit audits are conducted each January and submitted in February. Merchandise audits are
conducted between October and November for retail locations that close for the cold-weather season,
and between January and February for the central warehouse and those locations that are open year
round. Reports are submitted no later than one month after close or after the independent vendor
counts are done. The following actions are being taken to ensure compliance with this established
control:
a. The Visitor Services and Outreach (VSO) section manager will lead a team to review and revise retail
inventory policies and standardized procedures for the Division of Parks and Trails no later than April
1, 2021. The policies and procedures will address the inventory control, reconciliation and reporting
for retail inventory. They will also include monitoring compliance and accountability including
corrective actions for non-compliance. These policies and procedures will be included in the Parks
and Trails Revenue Manual.
b. The VSO section will provide inventory management training, including inventory control,
reconciliation and reporting requirements to all division staff responsible for implementing and
overseeing retail operations no later than April 1, 2021 and to all applicable new employees as part
of their onboarding process.
c. Unit supervisors will be responsible for implementing inventory management procedures and
ensuring compliance with all policies and procedures in units they manage.
10 | P a g e
d. District supervisors are responsible for monitoring and documenting compliance by unit supervisors
within their district and for implementing corrective actions for non-compliance, which will begin on
April 1, 2021.
e. The VSO state program coordinator will ensure that all annual inventory reports are filed on the DNR
internal I:\drive by March 1 each year.
f. The VSO section will review documentation including compliance and corrective actions and
maintain the records on the I:\drive annually to ensure compliance by January 1, 2021.
g. The VSO state program coordinator will review the documents and report any questionable or
potential systemic patterns to the VSO manager for further investigation. All related documentation
of any corrective actions taken will be securely stored the DNR internal I:\drive
7.2 Establish a threshold for when to investigate retail inventory discrepancies. The VSO section manager
will work with a group of retail staff, unit supervisors, and central office fiscal staff to determine a
process by which discrepancies above an industry-standard threshold (for example, 2-5% is regarded as
standard “shrinkage”) must be investigated, including a timeline for reconciling those discrepancies. The
work group will develop and implement a new review process by January 1, 2021. Fall/winter 2020
inventories will be reviewed before reopening in the spring of 2021 using this new process.
7.3 Ensure compliance with monthly spot checks. The Parks and Trails Revenue Manual indicates locations
with merchandise for sale should conduct a random inventory spot check on a monthly basis. A recent
survey indicated that only a few sites were conducting these checks. If they were conducted, it was
usually for firewood inventory, and the spot checks were often not documented.
a. The VSO section manager will work with retail staff to develop new training and standard
documentation for spot checks that will be implemented in January 2021. This will include
emphasizing with retail staff and supervisors the importance of compliance with this requirement to
further ensure – and demonstrate – our commitment to excellence in public service and fiscal
management.
b. Unit supervisors will be responsible for implementing inventory management procedures and
ensuring compliance with all policies and procedures in units they manage.
c. District supervisors will be responsible for quarterly monitoring compliance by unit supervisors
within their district and for implementing corrective actions for non-compliance.
7.4 Use the permit inventory process to annually reconcile differences. Parks and Trails will review and
revise its permit inventory policies and procedures by January 1, 2021. This information will be included
in the Parks and Trails Revenue Manual.
a. Unit supervisors will be responsible for implementing permit audit policies and procedures and
ensuring compliance with all policies and procedures in units they manage.
b. District supervisors will be responsible for quarterly monitoring and documenting compliance by
unit supervisors within their district and for implementing corrective actions for non-compliance,
which will begin on April 1, 2021.
11 | P a g e
c. In February of each year, the VSO reservation system coordinator will review annual permit audits
and reconcile counts between the units and central inventory. The VSO state program coordinator
will provide a report of discrepancies to the VSO section manager.
d. Audits will be filed on the DNR internal I:\drive with all audit paperwork. The VSO section manager
will review the audit and investigate any discrepancies by April 1 each year.
Thank you again for the opportunity to review and discuss the OLA findings and recommendations resulting
from the recent park fees and retail sales audit, and to provide this response. DNR is committed to developing
and rigorously implementing the corrective actions identified here, to ensure the findings of this audit are
expeditiously resolved.
Please direct any questions or feedback about the information and actions included in this response to Parks
and Trails Division Director Erika Rivers at [email protected] or (651) 259-5591.
Sincerely,
Sarah Strommen
Commissioner, Department of Natural Resources
CC: Lori Leysen, Audit Director, OLA
Barb Naramore, Deputy Commissioner, DNR
Shannon Lotthammer, Assistant Commissioner, DNR
Erika Rivers, Director, Division of Parks and Trails, DNR
Mary Robison, Chief Financial Officer, DNR
Kathleen Shea, Internal Audit Manager, DNR
Equal Opportunity Employer
Financial Audit Staff
James Nobles, Legislative Auditor Education and Environment Audits Lori Leysen, Audit Director Kelsey Carlson Shannon Hatch Paul Rehschuh Heather Rodriguez Kris Schutta Zakeeyah Taddese Emily Wiant General Government Audits Tracy Gebhard, Audit Director Nicholas Anderson Tyler Billig Scott Dunning Daniel Hade Lisa Makinen Erick Olsen Sarah Olsen Valentina Stone Joseph Wallis Health and Human Services Audits Valerie Bombach, Audit Director Jordan Bjonfald William Hager Zachary Kempen April Lee Crystal Nibbe Duy (Eric) Nguyen Melissa Strunc
Information Technology Audits Mark Mathison, Audit Director Joe Sass Safety and Economy Audits Scott Tjomsland, Audit Director Ryan Baker Bill Dumas Gabrielle Johnson Shelby McGovern Alec Mickelson Tracia Polden Zach Yzermans
For more information about OLA and to access its reports, go to: www.auditor.leg.state.mn.us. To offer comments about our work or suggest an audit, evaluation, or special review, call 651-296-4708 or email [email protected]. To obtain printed copies of our reports or to obtain reports in electronic ASCII text, Braille, large print, or audio, call 651-296-4708. People with hearing or speech disabilities may call through Minnesota Relay by dialing 7-1-1 or 1-800-627-3529.
Printed on Recycled Paper
OFFICE OF THE LEGISLATIVE AUDITOR CENTENNIAL OFFICE BUILDING – SUITE 140
658 CEDAR STREET – SAINT PAUL, MN 55155
O L A